# Mondoir Vault

> The Ledger of Record — a UAE-resident, multi-tenant document management platform for businesses that hold other people's papers.

Mondoir Vault is a B2B SaaS platform built for UAE professional services firms — accountants, law firms, PRO services, business-setup consultants, immigration consultants, brokers, advisors. Tenants archive corporate documents and identity papers, track visa and trade-licence expiries, issue VAT-compliant invoices, and give their own clients self-service access through a per-tenant subdomain. It is operated from the United Arab Emirates by Mondoir LLC FZ (https://mondoir.com), a Meydan Free Zone company (commercial licence 2644759.01).

Editorial positioning: a "ledger of record" for operators who manage truth. Tagline: "Discipline over decoration." Bilingual UI in English and Arabic with full RTL support.

## Capabilities

- **Encrypted document archival** — Upload PDFs and images of trade licences, visas, passports, Emirates IDs, contracts, and more. Files are encrypted client-side per document, then stored in OCI Object Storage in Abu Dhabi.
- **Visa and licence expiry tracking** — Per-client and per-employee records with reference numbers and expiry dates. Tenant admins receive a single weekly Monday digest covering everything expiring within the next 60 days; clients receive milestone alerts on their own documents.
- **In-house document extraction** — On upload of an Emirates ID, passport, UAE visa, or TRN/VAT certificate, in-house OCR (Arabic + English) and per-document-type parsers pre-fill the reference number, expiry date, and holder name. Mismatched holder names require an explicit operator override and are recorded in the audit log.
- **Client portal** — Each tenant operates on its own subdomain. Clients see only their own documents, requests, and invoices through a self-service portal.
- **Document requests** — Tenants send their clients a list of documents to upload; clients fulfil through the portal without a tenant account.
- **Bilingual UI** — Full English and Arabic interface with right-to-left layout. Invoices render mixed Arabic/English line items with embedded Arabic glyph fonts.
- **VAT-compliant invoicing** — Generate invoices with TRN capture and Stripe-hosted payment links.
- **Multi-tenant isolation** — Each tenant is isolated on every request, not only at sign-in. Cross-tenant access is rejected at the data layer.
- **Granular admin permissions** — One owner per tenant; additional administrators receive per-feature grants.
- **Audit logging** — Logins, downloads, OTP attempts, permission denials, billing events, encryption-key events, and admin changes are logged with actor, IP, and timestamp. Retained for 24 months by default.

## Security and data residency

- **UAE-only data residency.** All persistent customer data — uploaded documents, the application database, search indexes, audit logs, backups, and the master encryption key — resides exclusively in Oracle Cloud Infrastructure's Abu Dhabi region (`me-abudhabi-1`). Application servers, document processing, and OCR run in the same region. Nothing replicates to a non-UAE region.
- **Three-layer envelope encryption.** AES-256-GCM with per-document data keys, wrapped by per-tenant keys, wrapped by a master key held in OCI Vault (hardware-backed, never exposed to the platform in raw form).
- **Crypto-shredding on tenant delete.** Deleting a tenant destroys its tenant key; even if encrypted bytes were recovered from backup media, no one — including Mondoir — could decrypt them.
- **Mandatory TOTP MFA for tenant administrators.** Sign-in is a 6-digit single-use email code followed by TOTP from an authenticator app. Recovery codes and lockouts protect against brute force.
- **Single-use download URLs.** Document downloads are issued via short-lived links bound to the requester's authenticated session.
- **Malware scanning** on upload, with fail-closed defaults in production.
- **Email safety.** Bounces and complaints are suppressed automatically and webhook signatures are cryptographically verified.
- **TLS 1.2+ everywhere** (TLS 1.3 preferred). Cloudflare terminates at the edge for DDoS protection and re-encrypts to the Abu Dhabi origin over a mutually-authenticated TLS channel; the edge does not read request bodies, cookies, or authentication headers.

## Sub-processors (limited, in-transit only)

Three third-party processors handle limited categories of in-transit data outside the UAE. **None of them ever receives, processes, or stores document content.**

- **Cloudflare** — TLS termination and DDoS protection at the edge.
- **Resend** — transactional email delivery (recipient address, subject, body of notification text only; no documents attached or quoted).
- **Stripe** — subscription billing (billing contact, payment method, invoice line items; card data is submitted directly to Stripe via Stripe Elements and never touches Mondoir Vault servers).

## Compliance frameworks

Built and operated to remain consistent with UAE Federal Decree-Law No. 45 of 2021 (PDPL), Federal Decree-Law No. 46 of 2021 (Electronic Transactions and Trust Services), Federal Decree-Law No. 34 of 2021 (Cybercrime), DIFC Data Protection Law 2020, ADGM Data Protection Regulations 2021, and UAE Federal Tax Authority (FTA) invoicing requirements.

Mondoir Vault is **not** currently configured for storage of regulated health records under UAE Federal Law No. 2 of 2019; tenants subject to that law should contact us before uploading patient records.

A standard Data Processing Agreement is published at `/dpa`; the full compliance posture, sub-processor list, and retention schedule live at `/compliance`.
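
The three-layer envelope encryption and crypto-shredding listed under "Security and data residency" can be sketched as follows. This is an added example, not Mondoir Vault's code: the function names, the blob layout, the tenant/document AAD binding, and the in-memory master key (standing in for a KMS-held key) are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM; output is nonce(12) || tag(16) || ciphertext. The aad string
// pins a blob to its tenant/document (this binding is an assumption here).
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(Buffer.from(aad));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function open(key, blob, aad) {
  if (!blob || blob.length < 28) throw new Error('key material missing');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12), { authTagLength: 16 });
  d.setAAD(Buffer.from(aad)).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // final() throws on any mismatch
}

// Layer 1: the master key (a local stand-in for a KMS-held key) wraps each tenant key.
function createTenant(masterKey, id) {
  return { id, wrappedKey: seal(masterKey, nodeCrypto.randomBytes(32), id) };
}

// Layers 2 and 3: a fresh data key per document, wrapped by the tenant key.
function encryptDocument(masterKey, tenant, docId, bytes) {
  const tenantKey = open(masterKey, tenant.wrappedKey, tenant.id);
  const dataKey = nodeCrypto.randomBytes(32);
  const ctx = `${tenant.id}/${docId}`;
  return { docId, wrappedDataKey: seal(tenantKey, dataKey, ctx), ciphertext: seal(dataKey, bytes, ctx) };
}

function decryptDocument(masterKey, tenant, stored) {
  const tenantKey = open(masterKey, tenant.wrappedKey, tenant.id);
  const ctx = `${tenant.id}/${stored.docId}`;
  return open(open(tenantKey, stored.wrappedDataKey, ctx), stored.ciphertext, ctx);
}

// Crypto-shredding: destroy every copy of the wrapped tenant key, backups included.
function shredTenant(tenant) { tenant.wrappedKey = null; }
function demo() {
  const master = nodeCrypto.randomBytes(32); // constructed sample data below
  const tenant = createTenant(master, 'tenant-a');
  const stored = encryptDocument(master, tenant, 'doc-1', Buffer.from('trade licence scan'));
  const before = decryptDocument(master, tenant, stored).toString();
  shredTenant(tenant);
  try { decryptDocument(master, tenant, stored); } catch (e) { return { before, afterShred: 'unrecoverable' }; }
  return { before, afterShred: 'readable' };
}
console.log(demo());
```

After `shredTenant`, the document ciphertext and its wrapped data key are still present, but nothing remains that can unwrap the data key; the same failure occurs if a stored document is presented under a different tenant, because the AAD no longer matches.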

## Billing

Subscriptions are billed in AED via Stripe: a one-time **setup fee** plus a yearly **per-terabyte storage fee**. No per-user and no per-document fees. The current rates and a multi-year cost matrix are published at `/pricing`. Tenants can request a full workspace data export before final deletion by writing to `legal@docsafe.ae`.

## Built for

Accountants, advocates and law firms, auditors, business-setup consultants, corporate service providers, family offices, HR and recruitment agencies, immigration consultants, insurance brokers, management consultancies, notaries and translators, PRO service firms, property managers, tax advisors, trade-licence renewers — any UAE business that receives sensitive documents from clients and is trusted to return them.

## Contact

- Legal, privacy, compliance, security incidents, audit evidence, sub-processor lists, regulator enquiries, and DPO contact: **legal@docsafe.ae**
- Product help, account, login, billing questions: **support@docsafe.ae**
- Partnerships, resellers, integrators, and press: **admin@docsafe.ae**

We acknowledge every enquiry within one UAE business day.

Strictly business-to-business. The platform is not for personal use and is not currently configured for regulated health records.